From 6b73eeff0e35af0973993ed07eb51707840de789 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Mar 2026 14:21:55 +0000 Subject: [PATCH] ci: add minimum required permissions to all GitHub Actions workflows Co-authored-by: mtracz <22484267+mtracz@users.noreply.github.com> Agent-Logs-Url: https://github.com/blumilksoftware/php/sessions/76d44ae9-72d4-4b0f-9a3b-8d8876c4c238 --- .github/workflows/check-dockerfile.yml | 3 +++ .github/workflows/publish.yml | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/check-dockerfile.yml b/.github/workflows/check-dockerfile.yml index 5add77d..d9c2b1b 100644 --- a/.github/workflows/check-dockerfile.yml +++ b/.github/workflows/check-dockerfile.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: build: name: Test Dockerfile build diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 2ead9b7..a731b62 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,6 +5,10 @@ on: tags: - v* +permissions: + contents: read + packages: write + env: IMAGE_NAME: php @@ -21,7 +25,7 @@ jobs: run: docker build . --file ./Dockerfile --tag $IMAGE_NAME - name: Log into GitHub Container Registry - run: echo "${{ secrets.SECRET_TOKEN }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin - name: Push image to GitHub Container Registry run: |
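Review bot: In `.github/workflows/publish.yml` the new top-level `permissions:` block grants `packages: write` to every job in the workflow, not only to the one that pushes the image. The jobs section lies mostly outside this hunk, so this may be a single-job workflow today. Even so, keeping only `contents: read` at workflow level and declaring `packages: write` under the publishing job's own `permissions:` key stops any job added later from inheriting registry write access. Because the push now authenticates with the workflow token, confirm that the existing ghcr.io package grants this repository write access in its Actions access settings; a package first published with a personal token may not be linked to the repository, in which case the push would be denied.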
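Review bot: The login step in the last `publish.yml` hunk still pastes `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` directly into the script text, so both are substituted before the shell parses the line. The actor name also lands unquoted on the command line, and bot accounts carry `[bot]`, which the shell reads as a glob pattern. Passing both values through the step's `env:` and referencing them as quoted shell variables keeps them out of the generated script, as sketched below. The step list starts and ends outside the hunk. After this change, the credential stored as `SECRET_TOKEN` has no consumer in the visible lines; if nothing else uses it, revoke the token and delete the secret rather than leaving a long-lived credential in the repository settings.

```yaml
      - name: Log into GitHub Container Registry
        env:
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GHCR_USER: ${{ github.actor }}
        run: echo "$GHCR_TOKEN" | docker login https://ghcr.io -u "$GHCR_USER" --password-stdin
```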